Microsoft will disable ActiveX controls by default in the Office suite, starting in October with the release of Office 2024. Phasing out the software framework is likely related to numerous security vulnerabilities that have been exploited in the past.
Dating back to 1996, ActiveX has long been used for embedding interactive objects, such as buttons or forms, within Office documents. It was formerly used to load multimedia content, like videos, in Internet Explorer. However, it is not supported by Microsoft’s latest Edge browser.
With ActiveX disabled, Office users will no longer be able to interact with ActiveX objects or create new ones. But some legacy ActiveX objects will remain visible as static images.
“Starting in new Office 2024, the default configuration setting for ActiveX objects will change from ‘Prompt me before enabling all controls with minimal restrictions’ to ‘Disable all controls without notification,’” read a Sept. 6 entry in the Microsoft 365 Message Center.
“This change applies to the Win32 desktop versions of Word, Excel, PowerPoint, and Visio.”
SEE: What Is ShrinkLocker? New Ransomware Targets Microsoft BitLocker Encryption Feature
Changes will occur in stages
The update added that users of non-commercial versions of Office, such as Office Home & Student, will see a notification when they try to interact with an ActiveX object that reads: “The new default setting is equivalent to the existing DisableAllActiveX group policy setting.”
The rollout of the change will occur in stages. Office 2024 for Win32 desktop applications will see ActiveX controls disabled by default immediately upon launch. Microsoft 365 apps will follow suit in April 2025.
Users who still require the use of ActiveX in Office documents will have to manually enable the feature via settings adjustments in the Trust Center, registry edits, or group policy configurations.
How to enable ActiveX
To enable ActiveX controls from the default disabled setting, either:
- In an Office app, navigate to File → Options → Trust Center → Trust Center Settings → ActiveX Settings. Select the “Prompt me before enabling all controls with minimal restrictions” option.
- In the registry or Group Policy Management tool, navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security. Set “DisableAllActiveX” or “Disable All ActiveX” to “o.”
ActiveX has been plagued by vulnerabilities and cyberattacks
Over the years, ActiveX has been leveraged in attacks ranging from data theft to malware deployment. For instance, in 2018, security researchers found that the North Korean Andariel Group was using multiple ActiveX vulnerabilities to infect South Korean websites — and had done so over a number of years.
TrickBot, a notorious malware strain, has also been linked to ActiveX-based attacks. In 2020, hackers were found using the remote desktop ActiveX control to automatically execute a malware downloader embedded in a Word document. The document is delivered to the victim by a phishing email.
Similarly, in 2021, hackers were discovered using ActiveX in Office 365 documents to install Cobalt Strike beacons and establish persistent control.
Microsoft is reducing its attack surface by disabling Office features
In recent years, Microsoft has been on the warpath against some of its legacy Office features that are providing a plethora of entry points for bad actors. It started with the company expanding support for its Antimalware Scan Interface to Office 365 apps in 2018 to stem macro-based threats.
SEE: 6 Best Free Alternatives to Microsoft Word
In 2021, Microsoft expanded the AMSI defences again to include Excel 4.0 (XLM) scanning, detecting malicious macros and stopping them from running. The following year, it also disabled XLM by default in Excel and blocked VBA macros in files downloaded from the web. In 2023, XLL add-ins from untrusted locations were blocked by default, as bad actors were using them as part of phishing attacks.
